At Pure, we're committed to having the highest quality processes and procedures in place in order to be fully compliant with all current legislation.
We've been reviewing our existing policies and procedures in relation to the GDPR legislation which came into force on 25 May 2018. We have reviewed the candidate journey and have spent time assessing how we process candidate and client data to ensure it is fully compliant with the current legislation.
We have a GDPR project team in place led by a project manager who is reviewing all of our data processes and reviewing our data security procedures. We now have a compliant process in place regarding the notification of a data breach, information for our candidates and clients about how data will be used and the right to erasure.
Definition of ‘Data Controller’ under the GDPR
The data controller determines the purposes for which and how personal data is processed. It can do this either on its own or jointly or in common with other organisations. This means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity. The definition provides flexibility, for example it can allow one data controller mainly, but not exclusively, control the purpose of the processing with another data controller. It may also allow another data controller to have some say in determining the purpose whilst being mainly responsible for controlling the manner of the processing.
The legal responsibility for compliance falls directly on the data controller and not on the data processor.
Our approach to data protection
1.1 Pure (Pure Resourcing Solutions Ltd) confirm that they shall be a data controller in relation to relevant personal data laws. When we submit a candidate for consideration concerning a permanent, temporary or contract position with our client both Pure and our client(s) will be data controllers. Each party shall comply with its obligations as a data controller under current Data Protection Law.
Pure will ensure that:
1.1.1 all relevant personal data has been collected and disclosed in accordance with the Data Protection Law;
1.1.2 the relevant personal data is accurate and up to date;
1.1.3 it has provided the Candidates and Client contacts with a Privacy Notice on its own behalf whether in writing or by provision of a new or updated electronic link;
1.1.4 it has obtained the consent of the Candidate to:
(a) transfer of the Relevant Personal Data to the Client;
(b) the processing of the Relevant Personal Data for the purposes of temporary and permanent recruitment
(c) it will immediately notify relevant clients in the event that a Candidate withdraws or amends this consent.
1.2 Pure shall not process Relevant Personal Data for any purposes other than providing recruitment services to our clients and candidates.
1.3 Pure shall transfer Relevant Personal Data using appropriate technical and organisational security measures including, but not limited to, using encryption and password protection.
1.4 Pure shall:
1.4.1 implement and maintain appropriate technical and organisational measures to preserve the confidentiality and integrity of the Relevant Personal Data and prevent any unlawful processing or disclosure or damage, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Candidates. Pure will not disclose any Relevant Personal Data to any third party in any circumstances except as required or permitted by a legal request or requirement.
1.4.2 notify relevant Candidates and Clients promptly, and in any event, within 24 hours of any known breach of technical and organisational Security Measures where the breach has affected or could have affected the Relevant Personal Data ("Security Breach");
1.4.3 notify the relevant Candidates and Clients promptly, and in any event, within 24 hours if it receives any request or enquiry from a Data Protection Regulator or Data Subject with regard to the Relevant Personal Data, and keep the affected data subjects regularly updated as to how it handles such request or enquiry;
1.4.4 take reasonable steps to ensure the reliability of any of its employees, agents and sub-contractors who have access to the Relevant Personal Data;
1.4.5 ensure that only those of its employees, agents and sub-contractors who need to have access to the Relevant Personal Data are granted such access to the Relevant Personal Data and only for the purposes of providing recruitment services; and
1.4.6 ensure that the employees, agents and sub-contractors who have access to the Relevant Personal Data:
(a) are informed of the confidential nature of the Relevant Personal Data and are subject to appropriate contractual obligations of confidentiality;
(b) undergo training in Data Protection Law and in the care and handling of Personal Data; and
(c) comply with the obligations set out in this clause.
What we are working on
We have completed a full data audit to review where our data is held, stored and processed. Our servers are within the European Economic Area (EEA) and we have obtained proof from any suppliers that the relevant safeguards are in place to protect the personal data where we transfer or share data outside of the EEA.
All possible precautions have been implemented to mitigate the risk of a data breach and protect personal data.
Any amends to our standard contracts have been communicated to all necessary parties.
If you have any other questions relating to how your data is processed please contact privacy@prs.uk.com.